How is CVE-2026-11680 exploited?

Network reachability (required): The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable or browsable from the public internet or an internal network. Authentication (not-required): No account or credential of any kind is needed; the attacker only needs the victim to load a page. Victim interaction (required): The victim must open or be redirected to an attacker-controlled HTML page, making this a social-engineering or drive-by delivery scenario. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

What is the impact of CVE-2026-11680?

The attacker executes arbitrary code inside the Chrome renderer sandbox on the victim's Windows host. Confidentiality impact is high: the attacker can read data accessible to the sandboxed process, including in-page credentials and session tokens. Integrity impact is high: the attacker can write or modify data within the sandboxed process, including DOM state and locally cached content. Availability impact is high: the attacker can crash or hang the affected Chrome process, disrupting the user's browsing session.

Back to search

HIGHCVE-2026-11680Published 2026-06-08Modified 2026-06-09CNA Chrome

CVE-2026-11680: Use after free in Media in Google Chrome on Windows prior to 149

Use after free in Media in Google Chrome on Windows prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 149.0.7827.103
Affected Products: 1

HarborGuard Analysis

Synopsis

A use-after-free vulnerability exists in the Media component of Google Chrome on Windows in versions prior to 149.0.7827.103. The flaw is reachable over the network and requires no authentication, but the victim must visit a crafted HTML page. Successful exploitation gives a remote attacker arbitrary code execution inside the Chrome sandbox. A patched-image rebuild at version 149.0.7827.103 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-11680 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle a Chromium or Chrome binary. Coverage extends to both registry scans and in-pipeline image checks at build time.

Available

Triage

Triage is available with the full CVSS v3.1 score of 8.8 (HIGH) applied automatically, weighted against each customer org's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.

Available

Patch

A patched-image rebuild at Chrome 149.0.7827.103 becomes available on HarborGuard for any image found to carry an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker delivers the exploit over the network by directing the victim to a crafted HTML page, so the Chrome instance must be reachable or browsable from the public internet or an internal network.
AuthenticationNot required
No account or credential of any kind is needed; the attacker only needs the victim to load a page.
Victim interactionRequired
The victim must open or be redirected to an attacker-controlled HTML page, making this a social-engineering or drive-by delivery scenario.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

The attacker executes arbitrary code inside the Chrome renderer sandbox on the victim's Windows host.
Confidentiality impact is high: the attacker can read data accessible to the sandboxed process, including in-page credentials and session tokens.
Integrity impact is high: the attacker can write or modify data within the sandboxed process, including DOM state and locally cached content.
Availability impact is high: the attacker can crash or hang the affected Chrome process, disrupting the user's browsing session.

How HarborGuard Handles This

Available on HarborGuard: the CVE is matched against every scanned image within minutes of publication, flagging any image that ships a Chrome or Chromium binary below version 149.0.7827.103 on Windows. For customers with auto-remediation enabled, HarborGuard rebuilds the image at the patched version, runs a regression suite, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is queued and the finding is routed to the appropriate team inbox with full CVSS context attached. Customers who cannot immediately redeploy should consider network-policy controls that restrict which container workloads have unrestricted outbound browser access, reducing exposure while a rebuild is reviewed.

See how HarborGuard automates this

Fix available

149.0.7827.103

Affected packages

Google / Chrome
< 149.0.7827.103 (from 149.0.7827.103)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available